Sending @debian.org mails from Debian infrastructure

Due to the increasing amount of classic mailservers requiring a proper SPF/DKIM/DMARC setup to accept mails, DSA has set up an SMTP submission server.

The SMTP submission server is hosted on stravinsky.debian.org, on port 587, but it is recommended to use the CNAME mail-submit.debian.org for the submission service.

To send mail via this server, a Debian Member must have set a mailPassword on their account in LDAP. The only way to do so is to request a new password via the LDAP Mail Gateway.

Change mailPassword

To do so, send a GPG-signed mail whose body contains the sentence "Please change my mail password" to chpasswd@db.debian.org. Something like echo "Please change my mail password" | gpg --clearsign | mail chpasswd@db.debian.org should do the job if your host knows how to send mail.

You'll receive an encrypted password by mail; after somewhere between a few minutes and an hour, it will be active on mail-submit.debian.org.

DKIM signature

Any mail sent via mail-submit.debian.org is DKIM-signed. The server adds an X-Debian-User: header containing the username whose password was used to authenticate to the server, and this header is covered by the DKIM signature. The signature is made on all mails the server considers it should handle (for now, debian.org, debconf.org and ftp-master.debian.org mails). It doesn't require any specific setup from the end users, except using the appropriate mail address for sending mails.

Client config

server: mail-submit.debian.org
port: 587
login: your Debian username (not the mail address)
password: see above
encryption: STARTTLS

Exim client configuration

Thanks to Colin Watson for the original snippets.

The below assumes that you are using the configuration files provided by Debian's exim4-config package. If not then you will need to adjust it to fit with your configuration.

If using the "split configuration" scheme, then the router below can be placed in /etc/exim4/conf.d/router/190_local_alternate_smarthosts. For exim4.conf.template, it should be placed immediately after the hubbed_hosts router.

# Send to different smarthosts depending on the From: address.
alternate_smarthost:
  debug_print = "R: alternate_smarthost for $local_part@$domain ($sender_address_domain)"
  driver = manualroute
  domains = ! +local_domains
  transport = remote_smtp_smarthost
  senders = nwildlsearch;CONFDIR/alternate_smarthosts
  route_data = ${lookup{$sender_address}nwildlsearch{CONFDIR/alternate_smarthosts}}
  host_find_failed = ignore
  same_domain_copy_routing = yes
  no_more

The alternate_smarthosts file should contain lines of the form:

^userid.*@debian\.org$: mail-submit.debian.org::587

The password should be stored in the /etc/exim4/passwd.client file. This requires hostnames that match reverse DNS, so mail-submit can unfortunately not be used. The line should be of the form:

stravinsky.debian.org:userid:password

or simply

*.debian.org:userid:password

Postfix as a client config

Thanks to Ganneff for the snippet:

In /etc/postfix/main.cf, make sure you have the following configuration (or adapt it if you already rely on Postfix as a client for other things):

smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
smtp_tls_security_level = dane

sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous

Add mail-submit.debian.org as a relayhost when you send from @debian.org. In /etc/postfix/sender_relay:

@debian.org [mail-submit.debian.org]:587

Add the appropriate login/password in /etc/postfix/sasl_passwd:

@debian.org user:password

Run postmap on sender_relay and sasl_passwd, reload Postfix, and have fun.

For more details, please read Postfix's client_sasl_sender documentation.

Mutt client configuration

Thanks to Alex Muntada.

Add this to .mutt/muttrc, update the my_debian_uid and my_debian_pass variables, and restart Mutt:

set my_debian_uid  = 'my-debian-uid'
set my_debian      = "$my_debian_uid@debian.org"
set my_debian_smtp = "smtp://$my_debian_uid@mail-submit.debian.org:587"
set my_debian_pass = '...'

set my_debian_reply_hook = "my_hdr from: $my_debian"

reply-hook .                    "unmy_hdr from:"
reply-hook ~L$my_debian         $my_debian_reply_hook
reply-hook ~L.*@.*\.debian\.org $my_debian_reply_hook
reply-hook ~L.*@.*\.debian\.net $my_debian_reply_hook

set my_debian_send_hook = "\
    set smtp_url    = $my_debian_smtp \
        smtp_pass   = $my_debian_pass \
        sendmail    = ''"

send2-hook .                    "set sendmail=''"
send2-hook ~L$my_debian         $my_debian_send_hook
send2-hook ~L.*@debian\.org     $my_debian_send_hook
send2-hook ~L.*@.*\.debian\.org $my_debian_send_hook
send2-hook ~L.*@.*\.debian\.net $my_debian_send_hook

FAQ

Does the mail server check the From: header?

No, you can put anything you want, but the X-Debian-User header will make it clear who sent the mail.

Is the server an open relay?

It's an unrestricted relay, which is different from an open relay.

As soon as you have a Debian Account, and a mail password configured in LDAP, you can send mails from it, even using your own mail domain. That being said, the DKIM signature won't work, and the server is not intended for that usage, so if people abuse it, we'll probably change this behaviour.

Do I need to do any configuration to have DKIM working properly, like I did for the user DKIM feature?

No. That being said, if you intend to use mail-submit.debian.org, and you have already configured DKIM signing with your mail client or MTA, your mail will be signed twice and it's possible that one of the signatures will not validate.

This should not cause any issues; see https://datatracker.ietf.org/doc/html/rfc6376#section-4 for more details.
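As an added example (not part of this wiki page or of DSA's code), the following script inspects the DKIM-Signature headers of a received message, reporting for each one the signing domain, the selector, the DNS name the public key would be fetched from, and whether the From: and X-Debian-User: headers are among the signed headers (the h= tag). This lets a recipient check the two points made above: that X-Debian-User is covered by the debian.org signature, and which of two signatures on a double-signed mail covers what. The message, selector and signature values are constructed placeholders, so the script parses tags only and performs no cryptographic verification.

```python
"""Inspect DKIM-Signature headers: who signed, and which headers are covered."""
import email

# Constructed sample: a mail signed first by a local MTA (example.net), then
# by mail-submit (debian.org). Selector, bh= and b= are placeholders.
SAMPLE = b"""\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=debian.org;
\ts=selector-placeholder; h=from:to:subject:date:x-debian-user;
\tbh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.net;
\ts=local; h=from:to:subject; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG==
X-Debian-User: userid
From: userid@debian.org
To: someone@example.com
Subject: test
Date: Mon, 01 Jan 2024 00:00:00 +0000

hello
"""


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2).
    Folding whitespace inside values is dropped; tag names are case-sensitive."""
    tags = {}
    for part in value.split(";"):
        if "=" not in part:
            continue  # empty trailing element or malformed fragment
        name, _, val = part.partition("=")
        tags[name.strip()] = "".join(val.split())
    return tags


def signed_headers(tags: dict) -> list:
    """Header names listed in h=, lower-cased (header names are case-insensitive)."""
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]


def inspect_signatures(raw: bytes) -> list:
    """One report dict per DKIM-Signature header, in order of appearance."""
    msg = email.message_from_bytes(raw)
    report = []
    for hdr in msg.get_all("DKIM-Signature", []):
        tags = parse_dkim_tags(str(hdr))
        covered = signed_headers(tags)
        report.append({
            "domain": tags.get("d"),
            "selector": tags.get("s"),
            "dns_record": f"{tags.get('s')}._domainkey.{tags.get('d')}",
            "covers_from": "from" in covered,
            "covers_x_debian_user": "x-debian-user" in covered,
        })
    return report
```

Full verification of the signatures against the keys published in DNS needs a DKIM library such as dkimpy; this script only tells you which signature to expect to validate and what it protects.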